AudioJungle

Tuts+ Premium Security Breach & The Marketplaces

mordauk says

Yes, I agree that they should have, but I can also tell you that moving away from aMember is a serious pain. I’ve had to do it before and it is excruciatingly difficult.

The main reason it is hard is because you have thousands of live PayPal subscriptions, which, due to limitations of PayPal and aMember, cannot be simply moved to a new system. In order to move to a new system, you have to work out ways to “steal” the subscriptions away from aMember.

I know this because I’m trying to move a really old site away from aMember right now, and I know several other people doing the same thing.

mordauk says

> Yes, I agree that they should have, but I can also tell you that moving away from aMember is a serious pain. I’ve had to do it before and it is excruciatingly difficult.

Oh, and that’s not to say that it being a serious pain is a good enough reason to not do it, because that’s definitely not the case.

Thecodingdude says

I’d like to point out that it was as much a fault of aMember (the software used to run Tuts+) as it was Envato, yet NO ONE is yelling at them. Seriously? Amember is one of the largest and most widely used membership softwares on the net. It was definitely very, very negligent of Envato to not fix the issue sooner, but if you’re going to yell at someone, yell at both of them.

Envato must make over $500,000 every month. I’m pretty damn sure a company like Envato can afford to have every single line in their code examined for security, performance etc. Envato knew about this bug since last year.

doru says

When you build a website, you plan with security in mind.

This aMember or whatever stores passwords as plain text?

You don’t use it!

mordauk says


> I’d like to point out that it was as much a fault of aMember (the software used to run Tuts+) as it was Envato, yet NO ONE is yelling at them. Seriously? Amember is one of the largest and most widely used membership softwares on the net. It was definitely very, very negligent of Envato to not fix the issue sooner, but if you’re going to yell at someone, yell at both of them.
>
> Envato must make over $500,000 every month. I’m pretty damn sure a company like Envato can afford to have every single line in their code examined for security, performance etc. Envato knew about this bug since last year.

I never said they shouldn’t have or could not have. I was simply pointing out that making the move is very difficult.

Thecodingdude says



> I’d like to point out that it was as much a fault of aMember (the software used to run Tuts+) as it was Envato, yet NO ONE is yelling at them. Seriously? Amember is one of the largest and most widely used membership softwares on the net. It was definitely very, very negligent of Envato to not fix the issue sooner, but if you’re going to yell at someone, yell at both of them.
>
> Envato must make over $500,000 every month. I’m pretty damn sure a company like Envato can afford to have every single line in their code examined for security, performance etc. Envato knew about this bug since last year.
>
> I never said they shouldn’t have or could not have. I was simply pointing out that making the move is very difficult.

Envato patched the issue within 48 hours, don’t give me bullshit about it being difficult. Yeah, it is when you’ve got an entire team of useless “developers”.

Envato have had over 6 months to patch the issue, instead they wait for the breach to happen and then update it – do you see the logic because I certainly don’t?

designcise says

I hope the marketplace passwords are encrypted using a custom algorithm and not something that can easily be reversed :P (such as md5 etc.)

dtbaker moderator says

:-/

Anywho, good to see the Tuts+ team have the website back up and running now: http://tutsplus.com

Hats off for being transparent about the issue and not covering it up like most other compromised sites would.

VF says

@dtbaker, I would say it is a safety measure rather than transparency. Don’t praise people at the wrong times. If the hackers do bad things with the member data, someday this thing may come out by itself with a different kind of pressure. So as of now, they did what should be done to reduce/avoid the potential damage. Do we know how many members failed to understand that this happened and that they are supposed to change something somewhere?

Edit: dtbaker, just quoting your comment because, from a purely technical perspective, Envato really deserves more criticism rather than comparisons with different sites to convince us everything is going well.

mordauk says




> I’d like to point out that it was as much a fault of aMember (the software used to run Tuts+) as it was Envato, yet NO ONE is yelling at them. Seriously? Amember is one of the largest and most widely used membership softwares on the net. It was definitely very, very negligent of Envato to not fix the issue sooner, but if you’re going to yell at someone, yell at both of them.
>
> Envato must make over $500,000 every month. I’m pretty damn sure a company like Envato can afford to have every single line in their code examined for security, performance etc. Envato knew about this bug since last year.
>
> I never said they shouldn’t have or could not have. I was simply pointing out that making the move is very difficult.
>
> Envato patched the issue within 48 hours, don’t give me bullshit about it being difficult. Yeah, it is when you’ve got an entire team of useless “developers”.
>
> Envato have had over 6 months to patch the issue, instead they wait for the breach to happen and then update it – do you see the logic because I certainly don’t?

Dude, not trying to start a war. Just because it can be done in 48 hours does not mean it isn’t extremely difficult. They have a large development team with a ton of skill. It’s obvious they can (they did) do it.

Anyhow, I NEVER said it shouldn’t have happened a long time ago.

And please, come on, don’t call Envato developers useless. Not fixing the security breach was a mistake higher up. If it wasn’t for the fantastic Envato devs, we wouldn’t have these great marketplaces.
